SunScreen 3.2 Installation Guide

Chapter 7 Upgrading Your System

This chapter explains how to upgrade your system to SunScreen 3.2 from prior releases of SunScreen, as well as how to upgrade cryptographic modules.

Topics covered include:

Before You Upgrade


Caution -

The upgrade script removes and adds packages as needed. To avoid corruption of your existing configurations, do not attempt to remove or add packages manually.


Before installing SunScreen, complete the following tasks:


Note -

After completing the upgrade from SunScreen EFS 1.1, 2.0, or from SunScreen SPF-200, you must review your packet filtering rules to verify the filtering order because SunScreen 3.2 uses ordered packet filtering rules and ordered NAT mappings. Also, be aware that NAT mappings changed considerably in SunScreen EFS 3.0 from the NAT mappings used in prior releases of SunScreen. See "Packet Filtering" and "Network Address Translation" in SunScreen 3.2 Administrator's Overview for details on packet filtering rules and NAT mappings.


The order in which you install the upgrade software is different from an initial installation. Upgrading requires that you first install it on the Screen and then on the Administration Station. This order prevents damage to the existing policies and makes communication easier between the Administration Station and the Screen.


Caution -

To retain your existing SunScreen policy configuration files, you must take special care when upgrading to SunScreen 3.2. Do not remove your existing software packages unless you are instructed to do so.


Before installing the SunScreen software, review the SunScreen 3.2 Release Notes for the latest product information.

Upgrading to SunScreen 3.2

The following includes overview information as well as instructions for upgrading to SunScreen 3.2 from SunScreen EFS 1.1, 2.0, and 3.0, and from SunScreen 3.1 and SunScreen 3.1 Lite.

If you are upgrading from SunScreen EFS 1.1 or 2.0, your system upgrades to SunScreen 3.2 in routing mode. If you are upgrading from SunScreen EFS 3.0, SunScreen 3.1, or SunScreen 3.1 Lite, the current mode of your system is preserved.

The upgrade procedure automatically backs up your previous SunScreen policies, certificates, and packages in case the upgrade fails. It does not, however, save your existing log files. Before beginning the upgrade procedure, save your existing log files according to your specific SunScreen EFS 1.1, 2.0, or 3.0, or SunScreen 3.1 documentation, if needed. Also at this time, make any other system backups according to your standard Solaris backup procedures, if needed. The upgrade program then automatically removes your old SunScreen software packages and installs the SunScreen 3.2 software packages.


Note -

For the commands you use to back up this information, refer to the documentation that accompanied your release of SunScreen.


The following procedures describe how to upgrade both locally and remotely administered Screens.


Caution -

To retain your existing policies and SKIP keys and certificates (including your system's SKIP local identities) between software upgrades, do not remove /etc/opt/SUNWicg. Also, to retain your old remote administration rules, back up your /etc/skip directory, which contains all of your local keys, ACLs, and skipd.conf.
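
One way to take the backup this caution calls for, as an added example that is not part of the SunScreen guide: archive the two directories with owner-only permissions and record a checksum per archive so the copy can be verified before the upgrade starts. The function names and the destination directory are hypothetical, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example, not from the SunScreen guide. backup_dirs, verify_backup and
# the destination path in the usage line are hypothetical names.
# Usage: backup_dirs /var/tmp/ss-preupgrade /etc/opt/SUNWicg /etc/skip
#        verify_backup /var/tmp/ss-preupgrade

# backup_dirs DEST DIR...
# Archives each existing DIR into DEST and appends one cksum line per archive
# to DEST/MANIFEST. Everything is created with umask 077 because the archives
# hold keys, certificates and ACLs.
backup_dirs() {
    bk_dest=$1; shift
    bk_old_umask=$(umask)
    umask 077
    mkdir -p "$bk_dest" || { umask "$bk_old_umask"; return 1; }
    bk_rc=0
    for bk_dir in "$@"; do
        if [ ! -d "$bk_dir" ]; then
            echo "not present, skipped: $bk_dir" >&2
            continue
        fi
        # /etc/opt/SUNWicg -> etc_opt_SUNWicg.tar
        bk_name=$(echo "$bk_dir" | sed -e 's|^/*||' -e 's|/|_|g').tar
        bk_parent=$(dirname "$bk_dir")
        bk_base=$(basename "$bk_dir")
        if (cd "$bk_parent" && tar cf - "$bk_base") > "$bk_dest/$bk_name"; then
            (cd "$bk_dest" && cksum "$bk_name") >> "$bk_dest/MANIFEST"
        else
            echo "archive failed: $bk_dir" >&2
            bk_rc=1
        fi
    done
    umask "$bk_old_umask"
    return $bk_rc
}

# verify_backup DEST
# Recomputes the checksum and size of every archive listed in DEST/MANIFEST.
# Returns non-zero if the manifest is missing or empty, or if any archive is
# missing or differs from what was recorded.
verify_backup() {
    vb_dest=$1
    [ -s "$vb_dest/MANIFEST" ] || return 1
    vb_rc=0
    while read vb_sum vb_size vb_file; do
        if [ -f "$vb_dest/$vb_file" ]; then
            set -- $(cksum < "$vb_dest/$vb_file")
        else
            set --
        fi
        if [ "$1" != "$vb_sum" ] || [ "$2" != "$vb_size" ]; then
            echo "MISMATCH: $vb_file" >&2
            vb_rc=1
        fi
    done < "$vb_dest/MANIFEST"
    return $vb_rc
}
```

Run `verify_backup` again after copying the archives to their storage location, and treat that location as sensitive because the archives contain the SKIP local keys.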


The following describes how to prepare to upgrade both locally and remotely administered systems:


Note -

If you use the command line, check the man pages and "Migrating From Earlier SunScreen Firewall Products" in the SunScreen 3.2 Administrator's Overview document for information regarding any commands or arguments that were removed or added since prior releases of SunScreen.


The following describes how to prepare both locally and remotely administered systems for upgrading.

Before proceeding, verify that all the software packages required for your operating environment are installed. In addition to the Solaris Core Distribution software (and the Solaris End User Distribution software when you use the administration GUI locally on the Screen itself), additional Solaris software packages must be on your system before you install the SunScreen 3.2 software (see "Operating System Package Requirements" in the SunScreen 3.2 Installation Guide).


Caution -

Do not reinstall the Solaris Core Distribution software group when upgrading your system to SunScreen 3.2.


SunScreen 3.2 runs on Solaris 2.6, Solaris 7, and Solaris 8 operating environments for SPARC and Intel platform editions, as well as on Trusted Solaris 8. To be upgraded, your system must be running at least the Solaris 2.6 software because Solaris 2.5.1 or earlier software releases are not supported.

To Install the Prerequisite Solaris Packages and Kernel Patches on the Screen
  1. Add the packages to the Screen from your Solaris software CD, if not already on your system.

    For your locally-administered Screen to use the SunScreen administration GUI, you must install the End User Distribution of Solaris, as well as the following packages.


    Caution -

    Never install the End-System SKIP packages (SUNWes or SUNWesx) on a Screen.


  2. If you are using Solaris 2.6 software, add the following patches in the following order, if not already on your system, by typing:


    For SPARC platform edition systems:
    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc/Patches
    # patchadd 106125-06
    # patchadd 105181-11
    # patchadd 105284-15
    # patchadd 105490-04
    # patchadd 106040-10
    # patchadd 106409-01
    
     
    
  3. Reboot by typing:


    # sync; init 6
    
To Install the Solaris Packages on the Remote Administration Station
  1. Add the packages to the Administration Station from your Solaris software CD, if not already on your system.

  2. If you are using Solaris 2.6 software, add the following patches, if not already on your system, by typing:


    For SPARC platform edition systems:
    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc/Patches
    # patchadd 106125-06
    # patchadd 105284-15
    # patchadd 105490-04
    # patchadd 106040-10
    # patchadd 106409-01
    
     
    

    Note -

    In addition to the patches provided by SunScreen, make sure you install all recommended security patches available for your operating environment. For security reasons, always keep your operating environment up to date with available patches.
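
Both patch steps above apply only to patches that are "not already on your system". The following added example, which is not part of the SunScreen guide, reads `showrev -p` output and lists, in the order given, the required patches that are neither installed at that revision or later nor obsoleted by an installed patch. The function names are hypothetical, and the sample `showrev -p` lines (including patch 999999-01 and the package names) are constructed.

```shell
#!/bin/sh
# Added example, not from the SunScreen guide.
# Patch list for the Screen, copied from the procedure above (order matters).
SCREEN_PATCHES="106125-06 105181-11 105284-15 105490-04 106040-10 106409-01"

# missing_patches ID-REV...
# Reads `showrev -p` output on stdin. A requirement is met when the same
# patch ID is present at an equal or higher revision, either as an installed
# patch or in an installed patch's Obsoletes list.
# Old Solaris /usr/bin/awk lacks -v and functions; set AWK=nawk there.
missing_patches() {
    ${AWK:-awk} -v want="$*" '
        function note(id,   p) {
            sub(/,$/, "", id)
            if (split(id, p, "-") == 2 &&
                (!(p[1] in have) || p[2] + 0 > have[p[1]]))
                have[p[1]] = p[2] + 0
        }
        $1 == "Patch:" {
            note($2)
            for (i = 3; i <= NF; i++) {
                if ($i == "Obsoletes:") { obs = 1; continue }
                if ($i ~ /:$/)          { obs = 0; continue }
                if (obs) note($i)
            }
            obs = 0
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                split(w[i], q, "-")
                if (!(q[1] in have) || have[q[1]] < q[2] + 0) print w[i]
            }
        }'
}

# Constructed sample of `showrev -p` output for offline use.
sample_showrev() {
    cat <<'EOF'
Patch: 106125-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu
Patch: 105181-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105284-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWmfrun
Patch: 106040-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxi18n
Patch: 999999-01 Obsoletes: 106409-01 Requires:  Incompatibles:  Packages: SUNWcsu
EOF
}

# On a real system: showrev -p | missing_patches $SCREEN_PATCHES
```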


Upgrading a Screen

The following procedures explain how to upgrade a Screen to SunScreen 3.2 from SunScreen EFS 1.1, 2.0, 3.0, as well as from SunScreen 3.1 and SunScreen 3.1 Lite.


Note -

The upgrade software automatically backs up your previous SunScreen policies, certificates, and packages in case the upgrade fails. If you need to do other system backups or save other files, such as log files, do so now before upgrading your system to SunScreen 3.2. For the commands you use to back up this information, refer to the documentation that accompanied your release of SunScreen.


To Upgrade a Locally-Administered Screen

Caution -

To avoid corrupting your existing policies during an upgrade, do not run the SunScreen installer, which is run only for an initial installation.


  1. Open a terminal window and become root, if not already.

  2. Change to the directory containing the SunScreen 3.2 product.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  3. Click the upgrade icon.

    • The software automatically removes the existing SunScreen SKIP and SunScreen software packages.

    • No confirmations are needed or accepted. The file and package names appear as output on your monitor. Wait until this completes.

    • The SunScreen software is automatically installed and the file and package names appear as output.

    • Your existing SunScreen policies are automatically converted to SunScreen 3.2 policies.

    • If there are any conversion errors, they are itemized and appear on your monitor. Wait until this completes.

  4. Reboot by typing:


    # sync; init 6
    
  5. Open a terminal window and become root, if not already.

  6. List the policies that have been converted by typing:


    # ssadm policy -l
    

    Note -

    After completing the upgrade from SunScreen EFS 1.1 or 2.0, you must review your packet filtering rules to verify the filtering order because SunScreen 3.2 uses ordered packet filtering rules and ordered NAT mappings. Also, be aware that NAT mappings changed considerably in SunScreen EFS 3.0 from the NAT mappings used in prior releases of SunScreen. See the SunScreen 3.2 Administrator's Overview for details on packet filtering, ordered rules, and NAT mappings.


  7. Choose the one policy that you want to activate by typing:


    # ssadm activate configuration_name
    
  8. To launch the SunScreen administration GUI, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and type the following URL:


    http://localhost:3852
    

If you were upgrading your remotely-administered Screen and have completed the procedure for upgrading a locally-administered Screen, return to "To Upgrade a Remotely-Administered Screen".

For management information, see the SunScreen 3.2 Administration Guide.

To Upgrade a Remotely-Administered Screen

The following procedures explain how to upgrade a remotely-administered Screen to SunScreen 3.2 from SunScreen EFS 1.1, 2.0, 3.0, as well as from SunScreen 3.1 and SunScreen 3.1 Lite. For remote administration, upgrading requires that you install the upgrade software on the Screen first and then on the Administration Station.

  1. To upgrade your remotely-administered Screen, use the same instructions as explained in "To Upgrade a Locally-Administered Screen".

To Upgrade the Remote Administration Station

Note -

Perform this procedure manually. Do not run the upgrade script on the Administration Station.


  1. Open a terminal window on the Administration Station and become root, if not already.

  2. Remove each SunScreen EFS 1.1, 2.0, 3.0, SunScreen 3.1, or SunScreen 3.1 Lite package individually by typing:


    For SunScreen EFS 1.1:
    # pkgrm SUNWicgSA 
     
    For SunScreen EFS 2.0:
    # pkgrm SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg
     
    For SunScreen EFS 3.0, SunScreen 3.1, and SunScreen 3.1 Lite:
    # pkgrm SUNWicgSA SUNWicgSD SUNWicgSM SUNWicgSS SUNWdthj SUNWhttp
    

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.


  3. Follow the program prompts and answer all the questions with y.

    The pkgrm program ends with the statement: Removal of name_of_package was successful.

  4. Remove the SKIP software packages by typing:


    For SunScreen EFS 1.1 and 2.0:
    # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
     
    For SunScreen EFS 3.0:
    # pkgrm SUNWbdc SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup
     
    For SunScreen 3.1 and SunScreen 3.1 Lite:
    # pkgrm SUNWbdc SUNWbdcx SUNWbdes SUNWbdesx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup
    

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.


  5. This next step applies to SunScreen EFS 1.1 and 2.0 systems only. (Any SunScreen EFS 3.0 or SunScreen 3.1 cryptography upgrades can be left on your system.) Remove any SKIP cryptography upgrades by typing:


    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
    

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.


  6. Reboot the system by typing:


    # sync; init 6
    
  7. Change to the directory containing the SunScreen 3.2 product.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  8. Add the SunScreen 3.2 packages by typing:


    # pkgadd  -d .
     
    
  9. Install the appropriate packages then type q to quit pkgadd.

  10. (For SunScreen EFS 1.1 and 2.0 systems only) Move the SKIP keys by typing:


    # cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/
    
    1. Eject the CD-ROM by typing:


      # eject cdrom0
      
    2. Reboot to complete the upgrade by typing:


      # sync; init 6
      
    3. Open a terminal window and become root, if not already.

  11. To configure and manage your Screen from an Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the SunScreen administration GUI by typing the following URL:


    http://name_of_screen:3852
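
The package-removal steps in this procedure say to omit any package that was never installed. The following added example, which is not part of the SunScreen guide, builds that filtered list with the Solaris `pkginfo -q` check and refuses to call `pkgrm` with an empty list, because `pkgrm` given no package names prompts over every installed package. `installed_only`, `remove_installed`, `PKG_PROBE` and `PKGRM` are hypothetical names; the two variables exist only so the functions can be exercised off a Solaris host.

```shell
#!/bin/sh
# Added example, not from the SunScreen guide.

# installed_only PKG...
# Prints, in the order given, the packages that are actually installed.
# Returns 1 when none of them are, so the caller can skip pkgrm entirely.
installed_only() {
    io_keep=
    for io_pkg in "$@"; do
        # pkginfo -q prints nothing and reports presence via its exit status.
        if ${PKG_PROBE:-pkginfo -q} "$io_pkg" >/dev/null 2>&1; then
            io_keep="$io_keep${io_keep:+ }$io_pkg"
        else
            echo "not installed, omitted: $io_pkg" >&2
        fi
    done
    [ -n "$io_keep" ] || return 1
    echo "$io_keep"
}

# remove_installed PKG...
# Runs pkgrm once over the filtered list, or does nothing if it is empty.
remove_installed() {
    ri_list=$(installed_only "$@") || {
        echo "nothing to remove" >&2
        return 0
    }
    # Unquoted on purpose: the list is split into one argument per package.
    ${PKGRM:-pkgrm} $ri_list
}

# Example for the SunScreen EFS 3.0 / 3.1 set listed above:
# remove_installed SUNWicgSA SUNWicgSD SUNWicgSM SUNWicgSS SUNWdthj SUNWhttp
```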
    

Upgrading a High Availability System

High availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. At any time, one member of the HA cluster is the active Screen while the other members are passive. The passive Screens generate the same state as the active Screen but they do not forward traffic. When an active Screen fails, the passive Screen that has been running the longest takes over as the active Screen within 15 seconds. During the 15 seconds, no traffic goes through the HA cluster. An active Screen can be either a secondary Screen or a primary Screen, which administers the secondary Screens. (See "Using High Availability" in SunScreen 3.2 Administration Guide for details regarding creating an HA cluster.)

The actual upgrade procedure is run only on the HA primary Screen. Before proceeding, manually remove any previously installed SunScreen software from the HA secondary Screens.

The general steps needed to upgrade an HA system running SunScreen EFS 2.0, 3.0, or SunScreen 3.1 are described as follows:

To Upgrade an HA System
  1. Back up your SunScreen and SKIP configurations and log files.

    For the commands you use to back up this information, refer to the documentation that accompanied your release of SunScreen.

  2. On the HA secondary Screen:

    1. Manually remove the SunScreen EFS 2.0, 3.0, or SunScreen 3.1 software packages, certificates, policies, and log files.

    2. Run the SunScreen HA command to initialize the secondary.

  3. On the HA primary Screen:

    1. Run the upgrade program.

    2. Complete the primary upgrade.

  4. Complete the upgrade:

    1. If upgrading from SunScreen EFS 2.0, define a screen object for each upgraded HA secondary Screen (see "Working With Screen Objects" in the SunScreen 3.2 Administration Guide).

    2. Activate the desired policy.

To Upgrade the HA Secondary Screen
  1. Before proceeding, manually remove any previously installed SunScreen software from the secondary Screen.

  2. On the secondary Screen, determine the name and HA network interface of the primary Screen's HA interface that is running the upgrade program by typing:


    # ssadm edit Initial
    edit> list interface
    
  3. On the primary Screen, determine the IP address of the primary Screen's HA interface by typing:


    # ifconfig -a
    

    This command lists all of the Solaris plumbed network interfaces. The IP address of the primary Screen's HA interface is listed with the HA network interface you determined previously.

To Remove the SunScreen Software

The following steps describe how to manually remove the SunScreen EFS 2.0, 3.0, or SunScreen 3.1 software packages, certificates, policies, and log files:

  1. On the secondary Screen, open a terminal window and become root, if not already.

  2. Remove the SunScreen software packages by typing:

    1. For SunScreen EFS 2.0:


      # pkgrm SUNWicgSS SUNWicgEF SUNWicgSM SUNWHJicg SUNWicgSD SUNWicgSA SUNWfwcnv
      
    2. For SunScreen EFS 3.0:


      # pkgrm SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp
      
    3. For SunScreen 3.1:


      # pkgrm SUNWicgSF SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp
      

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.


  3. Remove any SKIP software packages by typing:

    1. For SunScreen EFS 2.0:


      # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
      
    2. For SunScreen EFS 3.0:


      # pkgrm SUNWbdc SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup SUNWsman
      

    Note -

    SunScreen 3.2 uses the same SKIP modules, plus a few additional packages, that were used by SunScreen 3.1.


  4. For SunScreen EFS 3.1, if needed, remove any SKIP cryptography upgrades by typing:


    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
    

    Note -

    Leave any cryptography upgrades for SunScreen EFS 3.0 and SunScreen 3.1 on your system.


  5. Remove all previously installed SunScreen EFS certificates, configurations, and log files by typing:


    # rm -rf /var/opt/SUNWicg /etc/opt/SUNWicg /etc/skip
    

    Note -

    After you reboot your system, physically remove the secondary node from the network to avoid leaving it unprotected. Only leave the HA network connected.


  6. Reboot your system to complete the removal of the previously installed SunScreen software by typing:


    # sync; init 6
    
To Install the Software on the HA Secondary Screen
  1. Follow the procedure as described in "To Install HA on the Secondary HA Screen" in Chapter 5, "Using High Availability," in the SunScreen 3.2 Administration Guide.

To Upgrade the HA Primary Screen
  1. Follow the procedure "To Upgrade a Locally-Administered Screen", then return to this section to complete the HA system upgrade.

  2. For SunScreen EFS 2.0, when upgrading you must define the Screen's HA interface.

    Before proceeding, you must know the following information:

    • The machine name of the HA primary Screen

    • The IP addresses on your dedicated HA network (for example 10.0.4.0 to 10.0.4.255)

    • The network interface to be used for HA communication (for example qfe0)

    • The name of the active policy configuration (for example Initial)

    1. On the HA primary Screen, open a terminal window and become root, if not already.

    2. The following is an example of what to type to define the primary Screen's HA interface:


      # ssadm edit Initial
      edit> add address qfe0 RANGE 10.0.4.0 10.0.4.255
      edit> delete interface qfe0
      edit> add interface SCREEN haprimary qfe0 HA qfe0
      edit> save
      edit> quit
      
To Complete the HA Upgrade
  1. For SunScreen EFS 3.0 or SunScreen 3.1:

    1. On the primary Screen, activate the policy configuration by typing a command similar to the following:


      # ssadm activate Initial
      

    Note -

    It is now safe to reconnect your HA systems to the network.


  2. For SunScreen EFS 2.0:

    The remaining steps are performed on the upgraded primary Screen. These steps include initializing the primary interface, adding the HA secondary IP address, and activating the configuration.

    1. Initialize the primary network interface by typing a command similar to the following:


      # ssadm ha init_primary qfe0
      
    2. Add the IP address of the secondary HA Screen by typing a command similar to the following:


      # ssadm ha add_secondary 10.0.4.2
      
    3. On the primary Screen, activate the policy configuration by typing a command similar to the following:


      # ssadm activate Initial
      

    Note -

    It is now safe to reconnect your HA systems to the network.


Upgrading From SunScreen SPF-200

The upgrade from SunScreen SPF-200 to SunScreen 3.2 requires a unique set of steps and can cause significant network downtime. To reduce the downtime, consider transferring your SunScreen SPF-200 configurations to a new system and performing the upgrade on the new system.


Note -

Have your original SunScreen SPF-200 installation diskette nearby in the event that the upgrade procedure fails and you need to return your Screen to its original SunScreen SPF-200 configuration.


To Back Up SunScreen SPF-200 and Install Patches
  1. Back up the SunScreen SPF-200 Screen, referring to your SunScreen SPF-200 documentation, if needed.

    The medium used for backing up your software and policies contains unencrypted, sensitive information. Store it in a secure location.


    Note -

    Save your existing log files according to your documentation because they are not backed up automatically.


  2. Back up the SunScreen SPF-200 Administration Station, following regular Solaris software procedures.

    The medium used for backing up your software and policies contains unencrypted, sensitive information. Store it in a secure location.

  3. Install Patch 105047-21 on the Administration Station and Screen, if not already installed.

    This patch is available through Sun Service.

  4. Mount the CD-ROM by typing:


    # volcheck
    
  5. From the Administration Station, install a special SunScreen SPF-200 patch on the Screen, by typing:


    # ss_client Name_of_Screen ss_patch install noreboot < /cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
    

    Note -

    Install this patch only on the Screen. Do not install this patch on the Administration Station itself or on any other system. Also, do not reboot your system at this time.


To Install the Software on the SunScreen SPF-200 Screen
  1. On the Administration Station, insert the SunScreen CD into the CD-ROM drive.

  2. From the Administration Station, run a special script to gather the SunScreen SPF-200 Screen's configurations by typing:


    # ss_client Name_of_Screen config2 > 200config.tar
    

    Note -

    Do not change the name of the 200config.tar file.



    Caution -

    This file contains sensitive information. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.


  3. Obtain your Administration Station's SKIP certificate ID by typing:


    # skiplocal list
    

    A list of SKIP encryption certificate IDs displays. The SKIP connection creates secure, encrypted communication between the Administration Station and the Screen.

  4. Write down the correct SKIP certificate ID for your Administration Station.

  5. On the Screen, reinstall your Solaris 2.6, Solaris 7, or Solaris 8 software, following the instructions accompanying your Solaris CD.


    Note -

    You must reinstall the Solaris software because the version used with the SunScreen SPF-200 cannot be upgraded. You can now use a separate system as the upgrade target.


  6. On the Administration Station, verify that your operating environment is at least the Solaris 2.6 version.

  7. On the Screen, using the same interface ID that the SunScreen SPF-200 used as its administration interface (for example, le0), configure that interface only.

    See your Solaris software documentation, if necessary.

  8. Remove the old SunScreen SPF-200 administration software by typing:


    # pkgrm SUNWicgSA
    

    Note -

    If you did not originally install this package, do not run the pkgrm command.


  9. Remove the old SKIP packages from the Administration Station by typing:


    # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
     
    To remove any SKIP cryptographic upgrades:
    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
    

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.


To Install the SunScreen 3.2 Software and Verify Installation

To prevent damage to the existing policies and make communication easier between the Administration Station and the Screen, upgrading requires you to first install the SunScreen software on the Screen and then on the Administration Station.

  1. On the Screen, install the SunScreen software according to the instructions in "Installing in Stealth Mode With Remote Administration Using SKIP" in the SunScreen 3.2 Installation Guide.

  2. On the Administration Station, install the SunScreen software according to the instructions in "Installing in Stealth Mode With Remote Administration Using SKIP" in the SunScreen 3.2 Installation Guide.

  3. On the Administration Station, move the SKIP keys by typing:


    # cp -rp /etc/sunscreen/skip/* /etc/skip/
    
  4. Reboot the Administration Station by typing:


    # sync; init 6
    

    To enable remote administration between the Screen and Administration Station, you must create a new access control list (ACL) using the same SKIP MKID that was used by the SunScreen SPF-200 as its administration interface and a new Screen MKID.


    Note -

    For the new ACL to take effect, it is important that you follow the exact instructions for the remote Administration Station referenced by the administration GUI in the /etc/sunscreen/AdminSetup.readme file.


  5. Replace the old ACL on the Administration Station with the new ACL using the existing key.


    Note -

    Ensure that your administration interface is the default because it is assumed by the skiphost commands. Specify a non-default interface.


  6. Make sure that the dates on the Screen and the Administration Station are synchronized.

To Verify Remote Administration and Convert Policies On the Screen
  1. On the Administration Station, create a session on the Screen by typing:


    # SSADM_TICKET_FILE=$HOME/.ssadmticket
    # export SSADM_TICKET_FILE
    # touch $SSADM_TICKET_FILE
    # chmod go= $SSADM_TICKET_FILE
    # ssadm -r Name_of_Screen login admin admin
    
  2. On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:


    # ssadm -r Name_of_Screen active
    
  3. On the Administration Station, begin the conversion of the SunScreen SPF-200 configurations to SunScreen 3.2 policies on the Screen by typing:


    # ssadm -r Name_of_Screen spf2efs < 200config.tar
    
  4. Verify your migrated configuration before activating it. To view and update the migrated configurations, open a Java-enabled Web browser and launch the SunScreen administration GUI by typing:


    http://Name_of_Screen:3852
    

    See "Using the Administration GUI" in the SunScreen 3.2 Administration Guide for instructions on using the administration GUI.


    Note -

    After completing the upgrade from SunScreen SPF-200, you must review your packet filtering rules to verify the filtering order because SunScreen 3.2 uses ordered packet filtering rules and ordered NAT mappings. Also, be aware that NAT mappings changed considerably in SunScreen EFS 3.0 from the NAT mappings used in prior releases of SunScreen. See the SunScreen 3.2 Administrator's Overview for more details on ordered rules and NAT mappings.


  5. On the Administration Station, activate your migrated configuration by typing:


    # ssadm -r Name_of_Screen activate Name_of_Configuration
    

Upgrading Cryptography Modules

U.S. export laws now allow the SunScreen Global default key size to be 4096 bits.

For the most current information regarding U.S. export laws, go to the Web site for The Bureau of Export Administration, U.S. Department of Commerce, at the following URL: http://www.bxa.doc.gov/.


Note -

When you upgrade the Administration Station, the former 512-bit SKIP MKID key and certificate are installed in the administration GUI. Because the administration GUI is not aware of the key size, you must check for this situation and create a new 4096-bit key on the Administration Station. Then, during installation, use the 4096-bit key as the administration certificate identifier.